Dynamics CRM Internet-facing Deployment - Major Steps
| Topic | Step | Notes / Instructions |
|---|---|---|
| Cert | Obtain a wildcard encryption certificate (recommended by Microsoft). Alternatives: SAN certificate, Enterprise CA. | Certificates are required for both AD FS 2.x and Microsoft Dynamics CRM to encrypt network traffic. The certificate must be trusted by the computer on which CRM is installed, so it must be located in the Personal store of the local computer account on the machine where the Configure Claims-Based Authentication Wizard runs. The CRMAppPool account of each Microsoft Dynamics CRM website must have read permission to the private key of the encryption certificate specified when configuring claims-based authentication. You can use the Certificates snap-in to edit permissions on the encryption certificate in the Personal store of the local computer account. |
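The private-key permission in the Cert row is usually set by hand in the Certificates snap-in; the following PowerShell, an added example that is not part of the original document, does the same thing scriptably and verifiably: it locates the certificate in the local computer's Personal store, checks that it is within its validity period, finds the on-disk key container for both CSP- and CNG-backed keys, grants the application pool account Read (not Full Control), and prints the resulting ACL. The subject `CN=*.contoso.com` and the account `CONTOSO\svc-crmapppool` are assumed placeholders; substitute your own.

```powershell
# Added example, not from the original document. Assumed values below.
$subjectCn   = 'CN=*.contoso.com'          # assumed wildcard certificate subject
$appPoolAcct = 'CONTOSO\svc-crmapppool'    # assumed CRMAppPool identity

# Pick the newest certificate in LocalMachine\My with that subject and a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.StartsWith($subjectCn) -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $subjectCn in LocalMachine\My" }

# Refuse to wire up a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is outside its validity period"
}

# Locate the key container file. Legacy CSP keys live under Crypto\RSA\MachineKeys,
# CNG keys under Crypto\Keys; the ACL on that file is what the snap-in edits.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Grant Read only: the app pool needs to use the key, never to replace or delete it.
icacls $keyFile /grant "${appPoolAcct}:(R)" | Out-Null

# Show the effective entry so the change can be verified and recorded.
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $appPoolAcct } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it in an elevated PowerShell session on each CRM server after the certificate has been imported. If the ACL listing comes back empty, the `icacls` call failed (the account name or key path is wrong); if the application pool still cannot read the key, check that the certificate was imported into the computer store rather than a user store.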
| DNS | DNS Settings | Before configuring CRM for claims-based authentication, configure your internal and public domain records and your firewall so that the various CRM and AD FS endpoints resolve correctly. |
| ADFS | Configure AD FS 2.0 | Microsoft Dynamics CRM 2013 Server supports Active Directory Federation Services (AD FS) versions 2.0, 2.1, 2.2 and 3.0. Before starting the configuration wizard, ensure a suitable encryption certificate is installed on the default website. The name on the certificate must specify an external name for AD FS 2.0 (for example, sts.contoso.com). See the section “Configure AD FS 2.0” later in this document. |
| CRM | Configure Claims-Based Authentication for Dynamics CRM | Use the CRM Deployment Manager to configure claims-based authentication. Set the CRM binding type and root domains. |
| ADFS | Add relying party trust and configure claims rules | After claims-based authentication is enabled, a relying party trust must be added to AD FS for Microsoft Dynamics CRM for each type of access that will be used (internal or IFD access). Claim rules specify which information is placed in the token; the token carries a set of claims derived from the identity information that is provided. |
| CRM | Configure Internet-facing deployment for Dynamics CRM | Run the Configure Claims-Based Authentication Wizard from the CRM Deployment Manager tool. |
| IE | Add AD FS website to Intranet zone in IE | Because the AD FS website is addressed by its fully qualified domain name (FQDN), Internet Explorer places it in the Internet zone, and by default Internet Explorer does not send Kerberos tickets to websites in the Internet zone. You must add the AD FS website to the Intranet zone in Internet Explorer on each client computer that accesses CRM internally. |
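The zone assignment in the IE row is normally made through Internet Options; the PowerShell below, an added example that is not part of the original document, writes the same ZoneMap registry entry for the current user and verifies it. It maps only the `https` scheme, so the AD FS name is not also trusted over plain http. The host `sts.contoso.com` is the AD FS name used elsewhere on this page; the function name `Add-IntranetZoneHost` and the assumption that the AD FS name is a single label under a two-label domain are mine.

```powershell
# Added example, not from the original document.
function Add-IntranetZoneHost {
    param([Parameter(Mandatory)][string]$HostName)

    # ZoneMap stores ...\Domains\<domain>\<host> with one DWORD per URL scheme.
    # Assumption: <host>.<domain>.<tld>, e.g. sts.contoso.com -> contoso.com \ sts.
    $labels = $HostName.Split('.')
    if ($labels.Length -lt 3) { throw "Expected host.domain.tld, got '$HostName'" }
    $domain    = $labels[-2..-1] -join '.'
    $hostLabel = $labels[0..($labels.Length - 3)] -join '.'

    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    New-Item -Path $key -Force | Out-Null

    # Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
    # Only the Local intranet zone causes IE to send Kerberos tickets by default.
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

    # Verify the mapping actually landed before reporting success.
    $zone = (Get-ItemProperty -Path $key).https
    if ($zone -ne 1) { throw "Zone mapping for https://$HostName was not applied" }
    return "https://$HostName is in zone $zone (Local intranet)"
}

Add-IntranetZoneHost -HostName 'sts.contoso.com'
```

This writes under HKCU, so it applies to the user who runs it. For a fleet of domain-joined clients, the same mapping is better delivered once through the Group Policy setting "Site to Zone Assignment List" (value 1 for the AD FS URL), which also prevents users from changing it.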
To allow Kerberos authentication to the AD FS website, register its service principal name (SPN):

1. Rerun the Configure Claims-Based Authentication Wizard and advance to the Specify the security token service page. Note the AD FS 2.0 server name in the Federation metadata URL (for example, sts1.contoso.com).
2. Open a command prompt.
3. Run the following command, substituting your own values for the example ones:

    c:\>setspn -s http/sts1.contoso.com contoso\crmserver$

   If you have deployed AD FS on a second server, replace crmserver$ with adfsserver$ in the command above, where adfsserver is the name of the server running AD FS.
4. Restart IIS.
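A registration that silently fails, or an SPN that ends up on two accounts, both produce the same symptom (clients fall back to NTLM or get logon errors), so it is worth checking the result of the `setspn` step above. The following PowerShell is an added example, not part of the original document: it queries the forest for the SPN, checks that it is not duplicated, and confirms it sits on the expected account. The SPN `http/sts1.contoso.com` and account `contoso\crmserver$` are the example values from the step above; replace them with your own.

```powershell
# Added example, not from the original document. Values below are the page's examples.
$spn     = 'http/sts1.contoso.com'   # SPN registered in the step above
$account = 'contoso\crmserver$'      # account it was registered on

# setspn -Q searches the forest and prints "Existing SPN found!" when the SPN exists.
$query = & setspn -Q $spn
if (-not ($query | Select-String -SimpleMatch 'Existing SPN found')) {
    throw "SPN $spn is not registered; run: setspn -s $spn $account"
}

# setspn -X lists SPNs that are registered on more than one account. A duplicate
# leaves the KDC unable to choose a key, so Kerberos to that service fails.
$dups = & setspn -X | Select-String -SimpleMatch $spn
if ($dups) {
    throw "SPN $spn is registered on multiple accounts:`n$($dups -join "`n")"
}

# setspn -L lists the SPNs on one account; pass the sAMAccountName without the domain.
$sam = $account.Split('\')[-1]
$onAccount = & setspn -L $sam | Select-String -SimpleMatch $spn
if (-not $onAccount) { throw "SPN $spn is not registered on $account" }

"SPN $spn is registered exactly once, on $account"
```

The page's command uses `setspn -s`, which refuses to add an SPN that already exists elsewhere; this check catches the case where an earlier `setspn -a` (which does not check) or a manual edit left a duplicate behind, and confirms that the restart of IIS is being done on a correctly registered service.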
Troubleshooting: http://technet.microsoft.com/en-us/library/jj203437.aspx